{"id":56410,"date":"2024-06-26T13:34:32","date_gmt":"2024-06-26T13:34:32","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/36037\/Probllama-Ollama-Remote-Code-Execution-Vulnerability.html"},"modified":"2024-06-26T13:34:32","modified_gmt":"2024-06-26T13:34:32","slug":"probllama-ollama-remote-code-execution-vulnerability","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/probllama-ollama-remote-code-execution-vulnerability\/","title":{"rendered":"Probllama: Ollama Remote Code Execution Vulnerability"},"content":{"rendered":"

Ollama<\/u><\/a> is one of the most popular open-source projects for running AI Models, with over 70k stars on GitHub<\/u><\/a> and hundreds of thousands of monthly pulls on Docker Hub<\/u><\/a>. Inspired by Docker, Ollama aims to simplify the process of packaging and deploying AI models. <\/p>\n

Wiz Research discovered an easy-to-exploit Remote Code Execution vulnerability in Ollama: CVE-2024-37032, dubbed \u201cProbllama.\u201d This security issue was responsibly disclosed to Ollama\u2019s maintainers and has since been mitigated. Ollama users are encouraged to upgrade their Ollama installation to version 0.1.34 or newer. <\/p>\n

Our research indicates that, as of June 10, there are a large number of Ollama instances running a vulnerable version that are exposed to the internet. In this blog post, we will detail what we found and how we found it, as well as mitigation techniques and preventative measures organizations can take moving forward.  <\/p>\n

Taken as a whole \u2013 and in light of the Wiz Research team\u2019s ongoing focus on the risk inherent to AI systems \u2013 our findings underscore the fact that AI security measure<\/a>s have been largely sidelined in favor of focusing on the transformative power of this technology, and its potential to revolutionize the way business gets done.  <\/p>\n

Organizations are rapidly adopting a variety of new AI tools and infrastructure in an attempt to hone their competitive edge. These tools are often at an early stage of development and lack standardized security features, such as authentication. Additionally, due to their young code base, it is relatively easier to find critical software vulnerabilities, making them perfect targets for potential threat actors. This is a recurring theme in our discoveries \u2013 see prior Wiz Research work on AI-as-a-service-providers Hugging Face<\/u><\/a> and Replicate<\/u><\/a>, as well as our State of AI in the Cloud<\/em><\/u> report<\/u><\/a> and last year\u2019s discovery of 38TB of data<\/u><\/a> that was accidentally leaked by AI researchers.  <\/p>\n

Over the past year, multiple remote code execution (RCE) vulnerabilities were identified in inference servers, including TorchServe, Ray Anyscale, and Ollama. These vulnerabilities could allow attackers to take over self-hosted AI inference servers, steal or modify AI models, and compromise AI applications.  <\/p>\n

The critical issue is not just the vulnerabilities themselves but the inherent lack of authentication support in these new tools. If exposed to the internet, any attacker can connect to them, steal or modify the AI models, or even execute remote code as a built-in feature (as seen with TorchServe and Ray Anyscale<\/u><\/a>). The lack of authentication support means these tools should never be exposed externally without protective middleware, such as a reverse proxy with authentication. Despite this, when scanning the internet for exposed Ollama servers, our scan revealed over 1,000 exposed instances hosting numerous AI models, including private models not listed in the Ollama public repository, highlighting a significant security gap. <\/p>\n

To exploit this vulnerability, an attacker must send specially crafted HTTP requests to the Ollama API server. In the default Linux installation<\/u><\/a>, the API server binds to localhost, which reduces remote exploitation risk significantly. However, in docker deployments<\/strong> (ollama\/ollama<\/u><\/a>), the API server is publicly exposed<\/strong>, and therefore could be exploited remotely. <\/p>\n

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment. <\/p>\n

Why research Ollama? <\/h2>\n

Our research team makes an active effort to contribute to the security of AI services, tooling, and infrastructure, and we also use AI in our research work. <\/p>\n

For a different project, we looked to leverage a large-context AI model. Luckily, around that time, Gradient released their Llama3 version which has a context of 1m tokens<\/u><\/a>.  <\/p>\n

Being one of the most popular open-source projects for running AI Models with over 70k stars on GitHub<\/u><\/a> and hundreds of thousands of monthly pulls on Docker Hub<\/u><\/a>, Ollama seemed to be the simplest way to self-host that model<\/u><\/a> ????. <\/p>\n